
Security design principles in GCP - Commands & Configuration

Introduction
Security design principles help protect your cloud resources from unauthorized access and damage. They guide how to build systems that keep data safe and services reliable.
When you want to control who can access your cloud storage buckets to keep data private.
When you need to limit what actions users or services can perform on your virtual machines.
When you want to protect your applications from attacks by isolating network traffic.
When you need to ensure that only encrypted data is stored and transmitted.
When you want to monitor and log access to your cloud resources for auditing.
Commands
This command gives Alice read-only access to the project, following the principle of least privilege by granting only necessary permissions.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:alice@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or service account to grant permissions.
--role - Defines the level of access granted.
This command creates a firewall rule to allow internal traffic within the network, implementing network segmentation to reduce exposure.
Terminal
gcloud compute firewall-rules create allow-internal --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp,udp,icmp --source-ranges=10.128.0.0/9
Expected Output
Creating firewall rule [allow-internal]...done.
--direction - Specifies the direction of traffic the rule applies to.
--rules - Defines allowed protocols and ports.
This command creates a key for encrypting data, supporting the principle of data protection by encrypting sensitive information. The key ring my-keyring must already exist in the us-east1 location before the key can be created in it.
Terminal
gcloud kms keys create my-key --location=us-east1 --keyring=my-keyring --purpose=encryption
Expected Output
Created key [my-key].
--location - Specifies the region for the key.
--purpose - Defines the key's use, here for encryption.
This command sets up a log sink that captures logs from Compute Engine instances and stores them in a Cloud Storage bucket, enabling monitoring and auditing. After the sink is created, its writer service account must be granted write access to the destination bucket before logs will be delivered.
Terminal
gcloud logging sinks create my-sink storage.googleapis.com/my-logs-bucket --log-filter='resource.type=gce_instance' --project=example-project
Expected Output
Created sink [my-sink].
--log-filter - Filters logs to capture specific resource types.
Key Concept

If you remember nothing else from security design principles, remember: always grant the minimum access needed and protect data with encryption and monitoring.

Common Mistakes
Granting broad permissions like owner or editor to all users.
This exposes resources to accidental or malicious changes, increasing risk.
Assign specific roles with only the permissions users need, such as viewer or custom roles.
Not setting firewall rules to restrict network traffic.
This leaves resources open to attacks from any source.
Create firewall rules that allow only necessary traffic from trusted sources.
Storing sensitive data without encryption.
Data can be exposed if storage is compromised.
Use Cloud KMS to encrypt data at rest and in transit.
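The first common mistake above, broad owner or editor grants, can be checked mechanically against the policy that gcloud projects get-iam-policy returns. The following audit script is an added example, not part of the original page or any Google tool; the SAMPLE_POLICY dict is constructed to mirror that command's JSON output, and the principals in it are made up.

```python
import json

# Constructed sample in the shape of
# `gcloud projects get-iam-policy example-project --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
        {"role": "roles/owner",
         "members": ["group:admins@example.com",
                     "serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "version": 1,
}

# Basic roles bundle thousands of permissions and violate least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor"}
# Special principals that make a binding reachable by anyone.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy):
    """Return (role, member, reason) tuples for risky bindings.

    A public principal is flagged whatever the role; a basic role is
    flagged for any member. roles/viewer or narrow predefined roles
    granted to named principals are not reported.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
            elif role in BASIC_ROLES:
                findings.append((role, member, "basic role"))
    return findings


def remediation_command(project, role, member):
    """Build the gcloud command that removes one risky binding."""
    return (f"gcloud projects remove-iam-policy-binding {project} "
            f"--member={member} --role={role}")


if __name__ == "__main__":
    for role, member, reason in audit_policy(SAMPLE_POLICY):
        print(f"{reason}: {member} has {role}")
        print("  fix:", remediation_command("example-project", role, member))
```

In practice, pipe the real policy in with `gcloud projects get-iam-policy PROJECT --format=json` and load it with json.loads instead of using SAMPLE_POLICY.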
Summary
Use IAM roles to give users only the permissions they need.
Create firewall rules to control network access and isolate resources.
Encrypt sensitive data using Cloud KMS keys.
Set up logging to monitor access and changes for security auditing.